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Abstract — In this paper, a new pseudo-random number gen- 
erator 

(PRNG) based on chaotic iterations is proposed. This method 
also combines the digits of two XORshifts PRNGs. The statistical 
properties of this new generator are improved: the generated 
sequences can pass all the DieHARD statistical test suite. 
In addition, this generator behaves chaotically, as defined by 
Devaney. This makes our generator suitable for cryptographic 
applications. An illustration in the field of data hiding is pre- 
sented and the robustness of the obtained data hiding algorithm 
against attacks is evaluated. 

Keywords -OaaiOtic sequences; Topological chaos; Pseudo- 
random number generator; Statistical tests; Internet security; 
data hiding; Discrete chaotic iterations. 

I. Introduction 

A pseudo-random number generator (PRNG) is an algo- 
rithm for generating a sequence of numbers that is supposed 
to be indistinguishable from a uniformly chosen random 
sequence tZJ. The sequence is not truly random in that it 
is completely determined by a relatively small set of initial 
values, called the PRNG's seed. Compare to hardware-based 
approaches, these PRNGs must be easy to generate and 
process, but are less closer to truly random behavior. PRNGs 
play an important role in practice for a whole range of ap- 
plications such as information security, statistics (samplings, 
simulations and Monte-Carlo techniques), video games and 
gambling machines, to name a few f4l. These PRNGs are 
often based on logical operations like bitwise exclusive or 
(XOR) and on circular shift of bit vectors. XORshift, designed 
by George Marsaglia fg], is a popular example of such 
generators. However, the security level of some PRNGs of this 
kind has been revealed to be inadequate by today's standards. 
We investigated whether it would be possible to combine two 
generators in some way that would give better properties than 
the individual components alone. 

This paper extends the study started in 121 and ifTSl . In IJl, it 
is proven that chaotic iterations (CIs), a suitable tool for fast 
computing iterative algorithms, satisfies the chaos property, 
as it is defined by Devaney 13]. In ifTSl . the chaotic behavior 
of CIs are exploited in order to obtain an unpredictable 
PRNG. This generator, based on chaotic iterations, depends 
on two input sequences. In ITSl . these two sequences are 
constituted by two logistic maps. This novel generator has 
successfully passed the NIST (National Institute of Standards 
and Technology of the U.S. Government) battery of tests ifTol . 
In this new paper, we achieve to improve the speed of the 
former PRNG, by using two XORshifts in place of the logistic 
map. In addition, this new version of our PRNG is able to pass 
the famous DieHARD statistical battery of tests i8J. And its 



security is improved compared to XORshift alone, and to our 
former PRNG. After presenting the theoretical framework of 
the study, a concrete example of how to use these pseudo- 
random numbers in the field of data hiding is detailed. An 
analysis focuses on the watermarked images which have 
akeady been subjected to common image distortion attacks. 
It is shown that sequences generated from this generator have 
a good robustness in the presence of such attacks. 
The rest of this paper is organized in the following way: in 
Section|II] some basic definitions concerning chaotic iterations 
and PRNGs are recalled. Then, the generator based on discrete 
chaotic iterations is presented in Section |III] In Section |IV| 
we show that the proposed PRNG passes the DieHARD 
statistical tests. In Sections |V] and IVII there is a discussion 
on a potential application scenario to watermarking. Finally, 
some conclusions and future work are drawn in Section IVIII 

II. Basic recalls 

This section is devoted to basic notations and terminologies 
in the fields of chaotic iterations and PRNGs. 



Notations 

II; NI - 

s" - 



^{1,2,. ..,iV} 

the n*^ term of a sequence s = (s^, s^, . . .) 
-> the i*'' component of an array v ~ {vi,V2, ■ . ■ 
— > fc*'' composition of a function / 
/^■ = /^^ 

k times 

strategy — > a sequence which elements belong in |1; N| 
§ — >■ the set of all strategies 
® — >■ bitwise exclusive or 
+ — > the integer addition 
<C and the usual shift operators 

B. Chaotic iterations 

Definition 1 The set IB denoting {0, 1}, let f : — > 

be an "iteration" function and 5* G S be a chaotic strategy. 
Then, the so-called chaotic iterations are defined by 

.,,0 ^ trN 



Vn e lN*,Vi e [l;N],a;f 



^n-l if 5-" ^ j 
/(a;"-i)s" if S"=t. 



(1) 

In other words, at the n*^ iteration, only the S*"— th cell is 
"iterated". Note that in a more general formulation, S"" can 
be a subset of components and f{x^''~^)s" can be replaced by 
f{x'')s" (where k < n), thus describing for example, delays 
due to transmissions (see e.g. HI). For the general definition 
of such chaotic iterations, see, e.g. ifTDl . 



Input: X (a 32-bit word) 



Output: r (a 32-bit word) 



X® (x < 13); 
X ^ xffi (a; > 17); 
X ^ a; ® (x < 5); 
r z; 
return r; 



An arbitrary round of XORshift 



Table I: XORshift and CI algorithms 



Chaotic iterations generate a set of vectors (boolean vector in 
this paper), they are defined by an initial state a;°, an iteration 
function / and a chaotic strategy S. 

C. XORshift 

XORshift is a category of very fast PRNGs designed by 
George Marsaglia [91. It repeatedly uses the exclusive or 
(XOR) on a number, with a bit shifted copy of itself by a 
positions either to the right or to the left, where Q < a < w 
and w ~ '62 or: 64. The initial state of a XORshift generator is 
a given vector of bits. At each step, the next state is obtained 
by applying a given number of XORshift operations as defined 
in TableHl This algorithm has a period of 2^"^ — 1 = 4.29x10^. 

D. Input sequences 

In IfTSl . we have used two logistic maps lfT4ll as input 
sequences to define a novel PRNG (called CI PRNG) based 
on chaotic iterations. We have mathematically proven that it 
behaves chaotically, as defined by Devaney. In addition, this 
generator can successfully pass the NIST tests suite. However, 
chaotic systems like logistic maps work in the real numbers 
domain, and therefore a transformation from real numbers into 
integers is needed. This process leads to a degradation of the 
chaotic behavior of the generator and a lot of time wasted 
during computations f5|. Our purpose is then to improve the 
speed of this former generator and grant its chaotic properties 
by using a faster PRNG, namely XORshift. Moreover, we will 
show in Section IIV-BI that this new generator can pass the 
famous DieHARD battery of tests. 

III. The generation of CI pseudo-random sequence 

The design of the PRNG based on discrete chaotic iterations 
is proposed in this section, while its performance is evaluated 
in the next one. 

A. Chaotic iterations as PRNG 

The novel generator is designed by the following pro- 
cess. Let N G ]N*,N ^ 2. Some chaotic iterations 
are done, which generate a sequence G (B'^) 

of boolean vectors: the successive states of the iterated 
system. Some of those vectors are chaotically extracted 
and their components constitute our pseudo-random bit 
flow. Chaotic iterations are realized as follows: initial state 
^,0 g ]gN ^ boolean vector taken as a seed and chaotic 
strategy {S'')^^^ G |1,N]''^ is constructed with XORshift. 
Lastly, iterate function / is the vectorial boolean negation 



Input: the internal state x 

(x is an array of N 1-bit words) 



Output: an array r of N 1-bit words 



XORshiftl{); 
m -i— a mod 2 + c 
for i = 0, . . . , m do 

b ^ XORshift2{); 
S <- b mod N; 



xs i 
end for 
r <— x; 
return r; 



■ xs; 



An arbitrary round of CI generator 



Table II: CI algorithms 



To sum up, at each iteration, only S'-th component of state 
is updated as follows 

-1 



if i 7^ 



if i = S\ 



(2) 



Finally, let be a finite subset of IN* . Some are selected 
by a sequence m" as the pseudo-random bit sequence of our 
generator The sequence (m")„g]N G A4^ is computed with 
XORshift. So, the generator returns the following values: 

• the components of a;™", 

• following by the components of x"^ +™ , 

• following by the components of a;™ , 

• etc. 

In other words, the generator returns the following bits: 



mo mo mo 



mo mo+mi mo+mi 



mo+mi mo+mi+m2 ,mo+mi-t-m2 



/o : (xi, ...,xn) e 



(xi, ...,xn) e 



and its k bit is equal to 

^k+l (mod IM)- 

The basic design procedure of the novel generator is summed 
up in Table [III The internal state is x, the output array is r; 
a and b are those computed by the two XORshift generators. 
Lastly, c and N are constants and = {c,c-i-l} (c ^ 3N is 
recommended). 

B. Example 

In this example, N = 5 and = {4,5} are adopted 
for easy understanding. The initial state of the system a;° 
can be seeded by the decimal part of the current time. For 
example, the current time in seconds since the Epoch is 
1237632934.484084, so t = 484084. x° = t (mod 32) in 
binary digits, then x" = (1,0,1,0,0). m and S can now be 
computed from two XORshift PRNGs: 

TO = 4, 5, 4, 4, 4, 4, 5, 5, 5, 5, 4, 5, 4,... 

5 = 2, 4, 2, 2, 5, 1, 1, 5, 5, 3, 2, 3, 3,... 

Chaotic iterations are made with initial state a:°, vectorial 
logical negation /o and strategy S. The result is presented in 
Table |lll] Let us recall that sequence to gives the states a;" 
to return: a;"*, a;^+^ .t4+''^+4, . . . 

So, in this example, the output of the generator is: 
10100111101111110011... 

C. Chaotic properties 

Despite a large number of papers published in the field of 
chaos-based PRNGs, the impact that this research has made 
on conventional information security is rather marginal. This 



Table III: Application example 
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Output: x?x§x§x2xgxfa;|x|x|x|a;fa;^x|a;| a;|xfx^33,i32.l32,l3^^^ ^ 10100111101111110011... 



is due to the following reasons: almost all chaotic algorithms 
are based on dynamical systems defined on the set of real 
numbers. So these generators are usually slow, require con- 
siderably more storage space and lose some of their chaotic 
properties during computations. These major problems restrict 
their use in security fields as cryptography IS). 
The PRNG proposed in this paper does not inherit its chaotic 
properties from a real chaotic map, but from chaotic iterations 
defined in Section III-BI It has been proven in [2] that CIs 
behave as chaos, as it is defined by Devaney: they are 
regular, transitive and sensitive to initial conditions. This most 
famous definition of chaotic behavior for a dynamical system 
implies various desired properties in information security, 
such as: unpredictability, mixture, sensitivity, and uniform 
repartition. The principal interest of CIs is that they can be 
used without real numbers. Indeed, the sequence inputed in 
chaotic iterations constitutes a coordinate of its initial state, 
and the chaotic behavior of a dynamical system does not 
depend on this initial state. So if we take integer sequences 
as input instead, then CIs become faster while preserving 
their chaotic properties. This allows the conception of a new 
generation of fast and chaotic PRNGs 

IV. Testing a generator 

Here, the empirical tests have been carried out, making use 
of the DieHARD statistical test suite. In this section we will 
briefly review the approach taken together with key results 
and conclusions. It is not our intention to document these 
tests in detail in the present section, since it has been done 
several times in many other papers ll8l. lfT2l . lfT3l . 

A. DieHARD battery of tests 

DieHARD battery of tests has been a stringent standard 
for evaluating PRNGs for over a decade. Passing this battery 
is considered as a good rule of thumb to validate a PRNG. 
DieHARD battery consists of 18 different independent sta- 
tistical tests. This collection of tests is based on assessing 
the randomness of bits comprising 32-bit integers obtained 
from a random number generator. Each test requires 2^^ 32- 
bit integers in order to run the full set of tests. 
Most of the tests in DieHARD return a value, which should 
be uniform on [0, 1) if the input file contains truly independent 
random bits. Those p— values are obtained hy p ~ F{X)^ 
where F is the assumed distribution of the sample random 
variable X-often supposed as normal distribution. But that 
assumed F is just an asymptotic approximation, for which 
the fit will be worst in the tails. Thus occasional p— values 



Table IV: Results of DieHARD battery of tests 
No. Test name Generators 

XORshift PRNG (Chaotic iterations) 

1 
2 



3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 
14 
15 
16 
17 
18 



near or 1, such as 0.0012 or 0.9983, are not surprising. 
An individual test is considered to be a failure if its p— value 
approaches 1 more closely, for example p > 0.9999. 

B. Analysis 

Table |IV] gives the results derived from applying the 
DieHARD battery of tests to the RNGs considered in this 
work. As it can be observed, the results of the individual 
tests Count the ones 1, Binary Rank 31 x 31 and Binary 
Rank 32 x 32 show that in the random numbers obtained 
with the XORshift generator only the least significant bits 
seem to be independent. This explains the poor behavior of 
this RNG in the aforementioned basic tests that evaluate the 
independence of real numbers. But the generator based on 
discrete chaotic iterations can pass all the DieHARD battery 
of tests. This proves that the security of the given generator 
has been improved by CIs. 
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V. Application example in digital watermarking 

Information hiding has recently become a major informa- 
tion security technology, especially with the increasing impor- 
tance and widespread distribution of digital media through 
the Internet [|T6]| . It includes several techniques Uke digital 
watermarking. The aim of digital watermarking is to embed 
a piece of information into digital documents, such as pic- 
tures or movies. This is for a large panel of reasons, such 
as: copyright protection, control utilization, data description, 
content authentication, and data integrity. For these reasons, 
many different watermarking schemes have been proposed 
in recent years. Digital watermarking must have essential 
characteristics, including: security, imperceptibility, and ro- 
bustness. Chaotic methods have been proposed to encrypt the 
watermark before embedding it in the carrier image for these 
security reasons. In this paper, a new watermarking algorithm 
is given. It is based on the chaotic PRNG presented above. 

A. Most and least significant coefficients 

Let us first introduce the definitions of most and least 
significant coefficients. 

Definition 2 For a given image, the most significant co- 
efficients (in short MSCs), are coefficients that allow the 
description of the relevant part of the image, i.e. its most rich 
part (in terms of embedding information), through a sequence 
of bits. 

For example, in a spatial description of a grayscale image, a 
definition of MSCs can be the sequence constituted by the first 
three bits of each pixel as shown in Figure 1(a). In a discrete 
cosine frequency domain description, each 8x8 block of the 
carrier image is mapped to a list of 64 coefficients. The energy 
of the image is contained in the first of them. After binary 
conversion, the first fourth coefficients of all these blocks can 
constitute a possible sequence of MSCs. 

Definition 3 By least significant coefficients (LSCs), we 
mean a translation of some insignificant parts of a medium in 
a sequence of bits (insignificant can be understand as: "which 
can be altered without sensitive damages")- 

These LSCs can be for example, the last three bits of the 
gray level of each pixel, in the case of a spatial domain 
watermarking of a grayscale image, as in Figure 1(b). 




(a) MSCs of Lena (b) LSCs of Lena 

Figure 1 . Spatial MSCs and LSCs of Lena. 



Discrete cosine, Fourier, and wavelet transform can be used 
to define LSCs and MSCs, in the case of frequency domain 
watermarking, among other possible choices. Moreover, these 
definitions are not limited to image media, but can easily be 
extended to the audio and video media as well. 
LSCs are used during the embedding stage: some of the least 
significant coefficients of the carrier image will be chaotically 
chosen and replaced by the bits of the mixed watermark. With 



a large number of LSCs, the watermark can be inserted more 
than once and thus the embedding will be more secure and 
robust, but also more detectable. 

The MSCs are only useful in the case of authentication: 
encryption and embedding stages depend on them. Hence, a 
coefficient should not be defined at the same time, as a MSC 
and a LSC; the last can be altered, while the first is needed 
to extract the watermark. 

B. Stages of the algorithm 

Our watermarking scheme consists of two stages: (1) mix- 
ture of the watermark and (2) its embedding. 

1) Watermark mixture.: Firstly, for safety reasons, the 
watermark can be mixed before its embedding into the image. 
A common way to achieve this stage is to use the bitwise 
exclusive or (XOR), for example, between the watermark and 
the above PRNG. In this paper, we will use another mixture 
scheme based on chaotic iterations. Its chaotic strategy, de- 
fined with our PRNG, will be highly sensitive to the MSCs, 
in the case of an authenticated watermark, as stated in 121. 

2) Watermark embedding.: Some LSCs will be substituted 
by all bits of the possibly mixed watermark. To choose the 
sequence of LSCs to be altered, a number of integers, less 
than or equal to the number N of LSCs corresponding to 
a chaotic sequence (U''^ ^, is generated from the chaotic 
strategy used in the mixture stage. Thus, the C/'^-th least 
significant coefficient of the carrier image is substituted by 
the k*^ bit of the possibly mixed watermark. In the case of 
authentication, such a procedure leads to a choice of the LSCs 
which are highly dependent on the MSCs. For the detail of 
this stage see Section rVI-A2l 

3) Extraction.: The chaotic strategy can be regenerated, 
even in the case of an authenticated watermarking because the 
MSCs have not been changed during the stage of embedding 
the watermark. Thus, the few altered LSCs can be found, 
the mixed watermark can then be rebuilt, and the original 
watermark can be obtained. If the watermarked image is 
attacked, then the MSCs will change. Consequently, in the 
case of authentication and due to the high sensitivity of 
the embedding sequence, the LSCs designed to receive the 
watermark will be completely different. Hence, the result 
of the recovery will have no similarity with the original 
watermark: authentication is reached. 

VI. Evaluation of robustness 

In this section, a complete application example of the above 
chaotic watermarking method is given and its robustness to 
some attacks is studied. This case study enables us to precise 
the details of the algorithm and evaluate it. 

A. Stages and details 

1) Images description.: Carrier image is Lena, a 256 
grayscale image of size 256 x 256. The watermark is the 
64 X 64 pixels binary image depicted in Figure 2(a). The 
embedding domain will be the spatial domain. The selected 
MSCs are the four most significant bits of each pixel and the 
LSCs are the three last bits (a given pixel will at most be 
modified of four levels of gray by an iteration). Before its 
embedment, the watermark is mixed with chaotic iterations. 
The system to iterate, chaotic strategy 5*" and iterate function 
are defined below. 



(a)Watermark 



Table V: Attacks 





(b) Watermarked Lena (c)Differences with original. 
Figure 2. Watermarked Lena and differences 

2) Embedding of the watermark.: To embed the water- 
mark, the sequence {U^)k^K of altered bits taken from the 
M LSCs must be defined. To do so, the strategy {S^)k<^K of 
the encryption stage is used as follows 

jjn+i ^ ^-n+i + 2 X C/" + n {mod M) 



(3) 



to obtain the result depicted in Figure 2(b). The map ^ 20 
of the torus, which is a famous example of topological De- 
vaney's chaos has been chosen to make {U^)ket{ highly 
sensitive to the chaotic strategy {S^)k(zK- As a consequence, 
{U'')keK is highly sensitive to the alteration of the MSCs. 
In case of authentication, any significant modification of 
the watermarked image will lead to a completely different 
extracted watermark. 

B. Simulation results 

To prove the efficiency and the robustness of the proposed 
algorithm, some attacks are applied to our chaotically water- 
marked image. For each attack, a similarity percentage with 
the original watermark is computed. This percentage is the 
number of equal bits between the original and the extracted 
watermark, shown as a percentage. A result less than or 
equal to 50% implies that the image has probably not been 
watermarked. 

1) Cropping attack.: In this kind of attack, a watermarked 
image is cropped. In this case, the results in Table [V] have 
been obtained. 

In Figure 3, the decrypted watermarks are shown after 
a crop of 50 pixels and after a crop of 10 pixels, in the 
authentication case. 




(a)Unauthentication (10 x 10) (b)Authentication(lO x 10) 




(c)Unauthentication (50 x 50) 
Figure 3. Extracted watermark after a cropping attack. 

By analyzing the similarity percentage between the original 
and the extracted watermark, we can conclude that in the 
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case of unauthentication, the watermark still remains after a 
cropping attack. The desired robustness is reached. It can 
be noticed that cropping sizes and percentages are rather 
proportional. In the case of authentication, even a small 
change of the carrier image (a crop by 10 x 10 pixels) leads 
to a really different extracted watermark. In this case, any 
attempt to alter the carrier image will be signaled, thus the 
image is well authenticated. 

2) Rotation attack.: Let be the rotation of angle 9 
around the center (128, 128) of the carrier image. So, the 
transformation r^e o rg is applied to the watermarked image. 
The results in Table [V] have been obtained. The same conclu- 
sion as above can be declaimed. 

3) JPEG compression.: A JPEG compression is applied to 
the watermarked image, depending on a compression level. 
This attack leads to a change of the representation domain 
(from spatial to DCT domain). In this case, the results in 
Table rvl have been obtained, illustrating a good authentication 
through JPEG attack. As for the unauthentication case, the 
watermark still remains after a compression level equal to 10. 
This is a good result if we take into account the fact that we 
use spatial embedding. 

4} Gaussian noise.: A watermarked image can be also 
attacked by the addition of a Gaussian noise, depending on 
a standard deviation. In this case, the results in Table |V] are 
obtained. 

VII. Conclusions and future work 

In this paper, the PRNG proposed in ifTSll is improved, 
by using the famous XORshift generator By combining 
these components with chaotic iterations, we define a faster 
generator with chaotic properties. In addition to achieving 
the NIST tests suite, this new generator successfully passes 
all the stringent DieHARD battery of tests. The randomness 
and disorder generated by this algorithm has been evaluated. 



It offers a sufficient level of security for a whole range of 
computer usages. An application example in the field of data 
hiding is given and its robustness through attacks is studied. 
In future work, the speed of our generator will be improved 
again, the comparison of different chaotic strategies will be 
explored, and other iteration functions will be studied. Finally, 
new applications in computer science security field will be 
proposed. 
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